[SECURITY] [DSA 2406-1] icedove security update

2012-02-0912:07:23

lists.debian.org

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

9.1 High

AI Score

Confidence

High

0.885 High

EPSS

Percentile

98.7%

JSON

Debian Security Advisory DSA-2406-1 [email protected]
http://www.debian.org/security/ Florian Weimer
February 09, 2012 http://www.debian.org/security/faq

Package : icedove
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2011-3670 CVE-2012-0442 CVE-2012-0444 CVE-2012-0449

Several vulnerabilities have been discovered in Icedove, Debian's
variant of the Mozilla Thunderbird code base.

CVE-2011-3670
Icedove does not not properly enforce the IPv6 literal address
syntax, which allows remote attackers to obtain sensitive
information by making XMLHttpRequest calls through a proxy and
reading the error messages.

CVE-2012-0442
Memory corruption bugs could cause Icedove to crash or
possibly execute arbitrary code.

CVE-2012-0444
Icedove does not properly initialize nsChildView data
structures, which allows remote attackers to cause a denial of
service (memory corruption and application crash) or possibly
execute arbitrary code via a crafted Ogg Vorbis file.

CVE-2012-0449
Icedove allows remote attackers to cause a denial of service
(memory corruption and application crash) or possibly execute
arbitrary code via a malformed XSLT stylesheet that is
embedded in a document

For the stable distribution (squeeze), this problem has been fixed in
version 3.0.11-1+squeeze7.

We recommend that you upgrade your icedove packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: [email protected]

OSVersionArchitecturePackageVersionFilename
Debian6mipseliceape-browser< 2.0.11-10iceape-browser_2.0.11-10_mipsel.deb
Debian6powerpcspidermonkey-bin< 1.9.1.16-12spidermonkey-bin_1.9.1.16-12_powerpc.deb
Debian5armxulrunner-1.9-dbg< 1.9.0.19-16xulrunner-1.9-dbg_1.9.0.19-16_arm.deb
Debian5amd64libmozjs1d-dbg< 1.9.0.19-16libmozjs1d-dbg_1.9.0.19-16_amd64.deb
Debian5i386xulrunner-1.9< 1.9.0.19-16xulrunner-1.9_1.9.0.19-16_i386.deb
Debian5armelxulrunner-1.9-gnome-support< 1.9.0.19-16xulrunner-1.9-gnome-support_1.9.0.19-16_armel.deb
Debian6ia64iceweasel< 3.5.16-12iceweasel_3.5.16-12_ia64.deb
Debian6kfreebsd-amd64iceape-dbg< 2.0.11-10iceape-dbg_2.0.11-10_kfreebsd-amd64.deb
Debian6amd64iceape-browser< 2.0.11-10iceape-browser_2.0.11-10_amd64.deb
Debian5mipsxulrunner-1.9-dbg< 1.9.0.19-16xulrunner-1.9-dbg_1.9.0.19-16_mips.deb

OS	Version	Architecture	Package	Version	Filename
Debian	6	mipsel	iceape-browser	< 2.0.11-10	iceape-browser_2.0.11-10_mipsel.deb
Debian	6	powerpc	spidermonkey-bin	< 1.9.1.16-12	spidermonkey-bin_1.9.1.16-12_powerpc.deb
Debian	5	arm	xulrunner-1.9-dbg	< 1.9.0.19-16	xulrunner-1.9-dbg_1.9.0.19-16_arm.deb
Debian	5	amd64	libmozjs1d-dbg	< 1.9.0.19-16	libmozjs1d-dbg_1.9.0.19-16_amd64.deb
Debian	5	i386	xulrunner-1.9	< 1.9.0.19-16	xulrunner-1.9_1.9.0.19-16_i386.deb
Debian	5	armel	xulrunner-1.9-gnome-support	< 1.9.0.19-16	xulrunner-1.9-gnome-support_1.9.0.19-16_armel.deb
Debian	6	ia64	iceweasel	< 3.5.16-12	iceweasel_3.5.16-12_ia64.deb
Debian	6	kfreebsd-amd64	iceape-dbg	< 2.0.11-10	iceape-dbg_2.0.11-10_kfreebsd-amd64.deb
Debian	6	amd64	iceape-browser	< 2.0.11-10	iceape-browser_2.0.11-10_amd64.deb
Debian	5	mips	xulrunner-1.9-dbg	< 1.9.0.19-16	xulrunner-1.9-dbg_1.9.0.19-16_mips.deb